Deploying a Virtual Network Based on VPF

1. Lab Objective and Topology

Build a site-to-site VPN between the firewalls, and solve the problem of deploying a virtual network inside a firewall's virtual firewall (VPF) and between VPFs.

2. Basic Configuration

(1) Configure VPF on the firewalls

1. FW1 settings

ip vpn-instance VRF_IN
 ipv4-family
#
ip vpn-instance VRF_OUT
 ipv4-family

#

Add the two interfaces to the trust and untrust zones respectively and bind each one to its VRF (the zone-assignment commands are not shown in this excerpt; only the VRF binding and addressing are).
interface GigabitEthernet1/0/0
 undo shutdown
 ip binding vpn-instance VRF_OUT
 ip address 155.1.121.12 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip binding vpn-instance VRF_IN
 ip address 10.1.12.12 255.255.255.0
#

Configure a static route

[FW1]ip route-static vpn-instance VRF_OUT 0.0.0.0 0 155.1.121.1

Verify the result

[FW1]ping -vpn-instance VRF_OUT 150.1.1.1
  PING 150.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 150.1.1.1: bytes=56 Sequence=1 ttl=255 time=33 ms

2. FW2 settings

#
ip vpn-instance VRF_A
 ipv4-family
#

Add the two interfaces to the trust and untrust zones respectively and bind both to VRF_A (the zone-assignment commands are not shown in this excerpt).

#
interface GigabitEthernet1/0/0
 undo shutdown
 ip binding vpn-instance VRF_A
 ip address 155.1.131.13 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip binding vpn-instance VRF_A
 ip address 10.1.13.13 255.255.255.0
#

Configure a static route

ip route-static vpn-instance VRF_A 0.0.0.0 0.0.0.0 155.1.131.1

3. Detailed Configuration

(1) Configure IPsec VPN

1. FW1 configuration

The `ike proposal default` block below appears to be the device's built-in default proposal and is listed only for reference; the tunnel actually negotiates with proposal 10 (3DES, SHA-1, DH group 14), which is fine for a lab but weak for production, where the AES/SHA-2 combination of the default proposal should be used instead. The pre-shared key `HUAWEI` is likewise a lab value. Note also that the IPsec policy still has to be applied to the outbound interface (GigabitEthernet1/0/0 in VRF_OUT); that step is not shown on this page.

#
acl number 3000 vpn-instance VRF_OUT
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
#
ipsec proposal LAN_SET
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 10
 encryption-algorithm 3des
 dh group14
 authentication-algorithm sha1
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer FW2
 pre-shared-key HUAWEI
 ike-proposal 10
 sa binding vpn-instance VRF_OUT  //VPN instance that the IPsec tunnel traffic belongs to
 remote-address 155.1.131.13
#
ipsec policy LAN_MAP 10 isakmp
 security acl 3000
 ike-peer FW2
 proposal LAN_SET

 sa trigger-mode auto
 sa binding vpn-instance VRF_OUT  //VPN instance the IPsec tunnel is bound to; FW1 defines no VRF_A, so this must reference VRF_OUT (the VRF of the outbound interface), matching the ike peer binding above
#

2. FW2 configuration

#
acl number 3000 vpn-instance VRF_A
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
#
ipsec proposal LAN_SET
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 10
 encryption-algorithm 3des
 dh group14  //must equal FW1's DH group; proposal 10 would not negotiate with group2 on one side and group14 on the other
 authentication-algorithm sha1
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer FW1
 pre-shared-key HUAWEI
 ike-proposal 10
 sa binding vpn-instance VRF_A  //VPN instance that the IPsec tunnel traffic belongs to
 remote-address 155.1.121.12
#
ipsec policy LAN_MAP 10 isakmp
 security acl 3000
 ike-peer FW1
 proposal LAN_SET

 sa trigger-mode auto
 sa binding vpn-instance VRF_A  //VPN instance the IPsec tunnel is bound to
#
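Mismatched IKE parameters between the two peers, or a `sa binding` that names a VPN instance the local box does not define, are exactly the errors that leave `display ike sa` empty with no obvious reason. The checker below is an added example, not code from this page or from Huawei: it parses two constructed configuration excerpts modelled on the FW1/FW2 configuration above (with a DH-group mismatch and an undefined VPN instance seeded on purpose), pairs the two `ike peer` entries by address, and reports every attribute that would stop negotiation. The excerpts, the function names and the set of attributes compared are this example's own assumptions.

```python
"""Cross-check two Huawei-style IKE/IPsec configs for the mismatches that
silently break a site-to-site tunnel (added example, not the page's code).
Only the command forms used on the page are parsed."""

# Constructed FW1 config modelled on the page, with one seeded defect:
# the ipsec policy binds VRF_A, a VPN instance FW1 never defines.
FW1_CFG = """\
ip vpn-instance VRF_IN
ip vpn-instance VRF_OUT
interface GigabitEthernet1/0/0
 ip address 155.1.121.12 255.255.255.0
ike proposal 10
 encryption-algorithm 3des
 dh group14
 authentication-algorithm sha1
ike peer FW2
 pre-shared-key HUAWEI
 ike-proposal 10
 remote-address 155.1.131.13
ipsec policy LAN_MAP 10 isakmp
 ike-peer FW2
 sa binding vpn-instance VRF_A
"""

# Constructed FW2 config with a second seeded defect: dh group2 vs group14.
FW2_CFG = """\
ip vpn-instance VRF_A
interface GigabitEthernet1/0/0
 ip address 155.1.131.13 255.255.255.0
ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
ike peer FW1
 pre-shared-key HUAWEI
 ike-proposal 10
 sa binding vpn-instance VRF_A
 remote-address 155.1.121.12
"""

IKE_ATTRS = ("encryption-algorithm", "dh", "authentication-algorithm")


def parse_blocks(cfg):
    """Split a config into (header, [child lines]) using indentation."""
    blocks = []
    for line in cfg.splitlines():
        if not line.strip() or line.strip() == "#":
            continue
        if line.startswith(" "):
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def find(blocks, prefix):
    return [(h, b) for h, b in blocks if h.startswith(prefix)]


def child(body, key):
    """Argument of the first child line whose keyword(s) equal `key`."""
    for line in body:
        if line == key or line.startswith(key + " "):
            return line[len(key):].strip()
    return None


def addresses(blocks):
    """IPv4 addresses configured on the box's interfaces."""
    return {child(b, "ip address").split()[0]
            for _, b in find(blocks, "interface ") if child(b, "ip address")}


def ike_proposal(blocks, number):
    for h, b in blocks:
        if h == f"ike proposal {number}":
            return {k: child(b, k) for k in IKE_ATTRS}
    return None


def check_tunnel(local_cfg, remote_cfg):
    """Return findings for the tunnel as seen from the local box."""
    local, remote = parse_blocks(local_cfg), parse_blocks(remote_cfg)
    findings = []
    vrfs = {h.split()[-1] for h, _ in find(local, "ip vpn-instance ")}
    for h, b in find(local, "ike peer ") + find(local, "ipsec policy "):
        vrf = child(b, "sa binding vpn-instance")   # must exist on this box
        if vrf and vrf not in vrfs:
            findings.append(f"{h}: binds undefined vpn-instance {vrf}")
    own, far = addresses(local), addresses(remote)
    for h, b in find(local, "ike peer "):
        if child(b, "remote-address") not in far:
            findings.append(f"{h}: remote-address not owned by the peer")
            continue
        # the far-side ike peer that points back at one of our addresses
        back = [rb for _, rb in find(remote, "ike peer ")
                if child(rb, "remote-address") in own]
        if not back:
            findings.append(f"{h}: no ike peer on the far side points back")
            continue
        if child(b, "pre-shared-key") != child(back[0], "pre-shared-key"):
            findings.append(f"{h}: pre-shared-key differs")
        lp = ike_proposal(local, child(b, "ike-proposal"))
        rp = ike_proposal(remote, child(back[0], "ike-proposal"))
        if lp is None or rp is None:
            findings.append(f"{h}: referenced ike proposal is missing")
            continue
        for k in IKE_ATTRS:          # IKEv1 needs every attribute to agree
            if lp[k] != rp[k]:
                findings.append(f"{h}: ike {k} {lp[k]} vs peer {rp[k]}")
    return findings


if __name__ == "__main__":
    print(*check_tunnel(FW1_CFG, FW2_CFG), sep="\n")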

(2) Configure security policies

The same rule set is needed on both firewalls. OUT_TO_LOCAL admits only IKE (UDP 500) and ESP (IP protocol 50) from untrust to the firewall itself; if a NAT device ever sits between the peers, UDP 4500 (NAT-T) has to be added as well. OUT_TO_IN is the rule the decrypted traffic hits, so it is restricted to the 10.1.0.0/16 site subnets. IN_TO_OUT, by contrast, permits everything from trust to untrust and is a lab shortcut.

#
security-policy
 rule name LOCAL_TO_ANY    //lets the firewall itself initiate traffic (IKE to the peer, pings from the VRFs)
  source-zone local
  action permit
 rule name OUT_TO_LOCAL    //only IKE (UDP 500) and ESP (IP protocol 50) may reach the firewall from untrust
  source-zone untrust
  destination-zone local
  service protocol 50
  service protocol udp destination-port 500
  action permit
 rule name OUT_TO_IN       //decrypted traffic from the remote LAN is checked untrust -> trust; limit it to the VPN subnets
  source-zone untrust
  destination-zone trust
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address 10.1.0.0 mask 255.255.0.0
  action permit
 rule name IN_TO_OUT       //lab shortcut: permits all trust -> untrust traffic
  source-zone trust
  destination-zone untrust
  action permit
#
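To see what the four rules above actually let through, the following Python model evaluates them the way a zone-based firewall does: top-down, first match wins, and anything unmatched falls to the implicit default deny. It is an added example, not Huawei code or the page's own configuration; the `Packet` and `Rule` types, the zone names used as plain strings and the sample packets (the peer's IKE and ESP, an unsolicited SSH attempt, NAT-T on UDP 4500, and decrypted LAN-to-LAN traffic) are this example's assumptions.

```python
"""First-match evaluation of the page's zone-based security policy
(added example, not Huawei code). Rule fields mirror the page's
security-policy; the packets below are constructed test traffic."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: int              # IP protocol number (50 = ESP, 17 = UDP, 6 = TCP)
    dport: int = 0          # transport destination port, 0 if none


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str = "any"
    dst_zone: str = "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    services: tuple = ()    # () = any; else (proto, dport) pairs, dport 0 = any port
    action: str = "permit"

    def matches(self, p):
        if self.src_zone not in ("any", p.src_zone):
            return False
        if self.dst_zone not in ("any", p.dst_zone):
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        return not self.services or any(
            proto == p.proto and dport in (0, p.dport)
            for proto, dport in self.services)


# The page's four rules in order. A zone firewall evaluates them top-down,
# the first match decides, and unmatched traffic hits the implicit deny.
POLICY = (
    Rule("LOCAL_TO_ANY", src_zone="local"),
    Rule("OUT_TO_LOCAL", "untrust", "local", services=((50, 0), (17, 500))),
    Rule("OUT_TO_IN", "untrust", "trust", "10.1.0.0/16", "10.1.0.0/16"),
    Rule("IN_TO_OUT", "trust", "untrust"),
)


def evaluate(policy, p):
    """Return (rule name, action) of the first matching rule, or default deny."""
    for r in policy:
        if r.matches(p):
            return r.name, r.action
    return "default", "deny"


# Constructed sample traffic: FW1 is 155.1.121.12, the peer FW2 155.1.131.13.
SAMPLES = (
    ("IKE from peer", Packet("untrust", "local", "155.1.131.13", "155.1.121.12", 17, 500)),
    ("ESP from peer", Packet("untrust", "local", "155.1.131.13", "155.1.121.12", 50)),
    ("NAT-T from peer", Packet("untrust", "local", "155.1.131.13", "155.1.121.12", 17, 4500)),
    ("SSH to firewall", Packet("untrust", "local", "155.1.131.13", "155.1.121.12", 6, 22)),
    ("decrypted LAN->LAN", Packet("untrust", "trust", "10.1.13.5", "10.1.12.5", 6, 445)),
    ("decrypted from other net", Packet("untrust", "trust", "192.168.1.5", "10.1.12.5", 6, 445)),
    ("LAN to Internet", Packet("trust", "untrust", "10.1.12.5", "8.8.8.8", 17, 53)),
)

if __name__ == "__main__":
    for label, pkt in SAMPLES:
        print(f"{label:<26} -> {evaluate(POLICY, pkt)}")
```

The two denied untrust-to-local cases are the ones worth noticing: UDP 4500 is dropped because no rule admits it, which is correct without NAT but breaks NAT traversal if a NAT device is introduced later, and the SSH attempt is dropped because nothing but IKE and ESP is allowed to reach the firewall from the outside.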

(3) Route leaking between the virtual firewall VRFs

On FW1 the inside interface sits in VRF_IN and the outside interface in VRF_OUT, so routes have to be leaked between the two VRFs for LAN traffic to reach the tunnel. This is done with MP-BGP VPN targets: each VRF exports its routes tagged with its own route target and imports the other VRF's route target.

#
ip vpn-instance VRF_IN
 ipv4-family
  route-distinguisher 12:10
  vpn-target 12:10 export-extcommunity
  vpn-target 12:155 import-extcommunity
#
ip vpn-instance VRF_OUT
 ipv4-family
  route-distinguisher 12:155
  vpn-target 12:155 export-extcommunity
  vpn-target 12:10 import-extcommunity
#

#
bgp 65000
 router-id 10.1.12.12
 #
 ipv4-family unicast
  undo synchronization
 #
 ipv4-family vpn-instance VRF_IN
  network 10.1.12.0 255.255.255.0
 #
 ipv4-family vpn-instance VRF_OUT
  default-route imported
  import-route static
#

Verify the routing tables

Besides the two tables below, check `display ip routing-table vpn-instance VRF_IN` for the leaked default route: without it, hosts behind VRF_IN have no path toward the remote site.

[FW1]display bgp vpnv4 vpn-instance VRF_IN routing-table 
 BGP Local router ID is 10.1.12.12 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete


 VPN-Instance VRF_IN, Router ID 10.1.12.12:

 Total Number of Routes: 2
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   10.1.12.0/24       0.0.0.0         0                     0      i
 *>   155.1.121.0/24     155.1.121.12    0                     0      i

[FW1]dis ip routing-table vpn-instance VRF_OUT
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VRF_OUT
         Destinations : 4        Routes : 4        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   155.1.121.1     GigabitEthernet1/0/0
      10.1.12.0/24  BGP     255  0           D   10.1.12.12      GigabitEthernet1/0/1
    155.1.121.0/24  Direct  0    0           D   155.1.121.12    GigabitEthernet1/0/0
   155.1.121.12/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
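The route-target mechanism the two tables above rely on can be reproduced in a few lines. The Python model below is an added example, not the page's configuration or device output: each VRF injects some of its routes into BGP (`network` in VRF_IN, `import-route static` in VRF_OUT), tags them with its export route target, and every VRF whose import targets intersect those tags receives the route. It also models the `default-route imported` switch, without which a 0.0.0.0/0 route is never advertised into VPNv4 and so never reaches VRF_IN. The prefixes, next hops and route targets are taken from the page's FW1 lab; the `Vrf`/`Route` names and the `in_bgp` field are this example's own.

```python
"""Model of MP-BGP VPN-target route leaking between local VRFs (added
example, not the page's configuration or device output).

Each VRF tags the routes it injects into BGP with its export route
targets; a route lands in every other VRF whose import targets intersect
those tags. This is the mechanism the page's VRF_IN/VRF_OUT config uses."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: str
    nexthop: str
    proto: str              # "Direct", "Static" or "BGP"


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: frozenset
    import_rt: frozenset
    local: tuple = ()                   # routes this VRF originates
    in_bgp: frozenset = frozenset()     # prefixes injected into BGP
    table: dict = field(default_factory=dict)


def leak(vrfs, default_imported=()):
    """Fill each Vrf.table with its own routes plus routes leaked by RT.

    A route enters the shared VPNv4 table only if its VRF injects it into
    BGP (network / import-route); a 0.0.0.0/0 route additionally needs
    `default-route imported` on that VRF's BGP family, which is what the
    `default_imported` set of VRF names stands for.
    """
    vpnv4 = []                          # (rd, route, export tags)
    for v in vrfs:
        for r in v.local:
            v.table[r.prefix] = r
            if r.prefix not in v.in_bgp:
                continue
            if r.prefix == "0.0.0.0/0" and v.name not in default_imported:
                continue
            vpnv4.append((v.rd, r, v.export_rt))
    for v in vrfs:
        for rd, r, tags in vpnv4:
            if rd == v.rd or not (tags & v.import_rt):
                continue
            # a route the VRF already owns keeps precedence over the BGP copy
            v.table.setdefault(r.prefix, Route(r.prefix, r.nexthop, "BGP"))
    return {v.name: v.table for v in vrfs}


def build_lab():
    """FW1's two VRFs as configured on the page: VRF_IN exports 12:10 and
    imports 12:155, VRF_OUT the reverse; VRF_IN advertises its LAN with
    `network`, VRF_OUT redistributes only its static default."""
    vrf_in = Vrf("VRF_IN", "12:10", frozenset({"12:10"}), frozenset({"12:155"}),
                 local=(Route("10.1.12.0/24", "10.1.12.12", "Direct"),),
                 in_bgp=frozenset({"10.1.12.0/24"}))
    vrf_out = Vrf("VRF_OUT", "12:155", frozenset({"12:155"}), frozenset({"12:10"}),
                  local=(Route("155.1.121.0/24", "155.1.121.12", "Direct"),
                         Route("0.0.0.0/0", "155.1.121.1", "Static")),
                  in_bgp=frozenset({"0.0.0.0/0"}))
    return [vrf_in, vrf_out]


def has_default(tables, vrf):
    """True when `vrf` holds a route toward the remote site (a default)."""
    return "0.0.0.0/0" in tables[vrf]


def show(tables):
    for name, table in tables.items():
        print(f"Routing Tables: {name}")
        for prefix, r in sorted(table.items()):
            print(f"  {prefix:<18} {r.proto:<7} {r.nexthop}")


if __name__ == "__main__":
    show(leak(build_lab(), default_imported={"VRF_OUT"}))
```

Run with `default_imported` empty and VRF_IN ends up without a default route, which is the failure mode `default-route imported` exists to prevent. The BGP table the page displays for VRF_IN also lists 155.1.121.0/24; this model only produces that if VRF_OUT's BGP family redistributes direct routes too, whereas the excerpt shows only `import-route static`, so check the full running configuration when reproducing the lab.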

4. Result Verification

Because of limitations of the firewall emulator, this result can only be verified on a physical device.
